1. How Many Million BIOSes Would you Like to Infect?
Corey Kallenberg & Xeno Kovah

2. About us We do digital voodoo Newly independent as of January 2015
The only company focused primarily on PC firmware security

3. This talk has 2 main points
Because almost no one applies BIOS patches, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected
The high amount of code reuse across UEFI BIOSes means that BIOS infection is automatable and reliable

4. What’s past is prologue
Some (mostly-multi-vendor) BIOS vulnerabilities disclosed since 2012:
CERT VU#127284[0], [1](“Ruy Lopez”), [1](“The Sicilian”), [2] (“Setup bug”), [4] (“Charizard”), [5](“King & Queen’s Gambit”), [6] (“noname”), [7] (“Speed Racer”), [8] (“Venamis”), [9](“Snorlax”)
And a bunch from others that didn’t get VU#s

5. NOT-SMM
SMM

6. Incursions (VU#631788)
In 2008 ITL disclosed an SMM vulnerability where on some Intel motherboards SMM code called through non-SMRAM function pointer table
Low hanging fruit SMM vulnerability!
How prevalent are low hanging fruit SMM vulnerabilities today?

7. But how do you hit what you cannot see?
But how do you hit what you cannot see?

8. Option 1: Reprogram firmware to disable SMRAM protection
Disable TSEG
Disable SMRRs

9. Option 2: Use the power of the dark side

10. We did a little RE work to determine which SMM code we could invoke from the OS by writing to port 0xB2
In this case, function 0xDB05EDCC within SMM can be reached by writing 0x61 to port 0xB2
Almost every UEFI system we surveyed used this format to record reachable SMM code

11. We found a lot of these vulnerabilities
They were so easy to find, we could write a ~300 line IDAPython script that found so many I stopped counting and (some) vendors stopped ing me back

12. You’re the next contestant on… Is it vulnerable???
Hint: Hexrays detects the external memory accesses and colors them red.
When you see red, bad!

22. Looking at Acer in IDA

23. Vendor Response
Many vendors didn’t reply to our s and/or claimed they weren’t vulnerable
They are vulnerable
Dell responded and is pushing patches for all of our disclosures
Lenovo also responded and is releasing patches

24. What’s possible once you’ve broken into BIOS/SMM?

25. Welcome to my home in the Deep Dark
LightEater
Hello my friends.
Welcome to my home in the Deep Dark
Voice track: We wanted to show that SMM attackers are the most privileged attackers, and are capable of doing all the attacks that lesser privileged attackers can do

26. Tails says that because it runs independent of the operating system, if you have previously been compromised by software means (not physical access), you should be safe…

27. Exploit delivered remotely on target Windows 10 system.
No physical access is necessary
All you need is a remote cmd.exe with admin access
Exploit bypasses BIOS flash protection and reprograms the portion of the flash associated with System Management Mode

28. Malware that was delivered remotely to the main OS (Windows 10) waits in the background and runs in System Management Mode
It waits for your secrets to be revealed

29. If you are practicing OPSEC, perhaps you have a private and private key that you only access from the “secure” Tails so to avoid having confidential communications compromised

30. Using this style of OPSEC, the password for your key should never be entered on your normal operating system (Win10 in this case).
Since we are in Tails, we are okay though…

31. Hence all of your confidential communications should remain shielded from any malware that was delivered to your Win10 installation
Using our malware, this isn’t the case…

32. Runs independent of any operating system you put on the platform
Has access to all of memory
Can steal all of your secrets no matter what “secure operating system” you are using

33. Tails also attempts to erase memory to scrub any residual secrets that may be exposed to the main operating system

34. Our malware still has access to it, as we store the secrets to non-volatile storage so we can exfil at earliest convenience
So even if you were to use Tails in offline mode, to try to avoid exfiltration of secrets, you can still be owned

35. Time to rethink this…

36. All fall before a LightEater
The US Air Force made the “Lightweight Portable Security” (LPS) Live CD1 with much the same purpose as Tails:
“LPS differs from traditional operating systems in that it isn't continually patched. LPS is designed to run from read-only media and without any persistent storage. Any malware that might infect a computer can only run within that session.”
“LPS-Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer. Simply plug in your USB smart card reader to access CAC- and PIV-restricted US government websites.”
Attackers that infect BIOS will always win against non-persistent OSes, because they can persist across reboots, and live in OS-independent SMM
1http://

38. Where’s the architectural flaw?
The fact that SMM can read/write everyone’s memory is an x86 architectural vulnerability
No security system (virtualization, live CDs, normal OSes) is secure until this is fixed
We’ll come back later to how we intend to fix it

39. This talk has 2 main points
Because almost no one applies BIOS patches, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected
The high amount of code reuse across UEFI BIOSes means that BIOS infection is automatable and reliable

40. Further Tales from the Deep Dark
I’m going to explain why infecting BIOSes is a lot easier than you may have realized

41. Infection Decision Tree
Want to infect BIOS
UEFITool
FTW? No
Publicly defeated
sanity checks?
Find hook points
No/Don’t Know
Yes
Yes
No-op checks
Insert hooks
BIOS Infected

42. Infection Decision Tree
Want to infect BIOS
MSI Demo
UEFITool
FTW? No
Publicly defeated
sanity checks?
Find hook points
No/Don’t Know
Yes
Yes
No-op checks
Insert hooks
BIOS Infected

43. “UEFITool FTW” Infection
As done on the MSI
Use Nikolaj Schlej’s excellent UEFITool1 to replace the module you care about with one that includes malicious functionality
Reflash w/ exploit FTW
hmm...
1https://github.com/LongSoft/UEFITool

44. Infection Decision Tree
Want to infect BIOS
HP Demo
UEFITool
FTW? No
Publicly defeated
sanity checks?
Find hook points
No/Don’t Know
Yes
Yes
No-op checks
Insert hooks
BIOS Infected

45. Sanity Check Speed Bumps
Some vendors like HP build in sanity checks
Descriptions of bypasses can be easily found on the net, and would be developed quietly by anyone who actually cared enough
We created a 9 byte signature for one HP sanity check by following the steps in a public blog post
And 2 variant signatures based on looking at a few models where the signature didn’t fire
The 3 signature variants matched 570/789 HP BIOS images
Could be improved further, but we’re just making a point
If signature found, replace the last 2 bytes w/ 0x9090
Goto previous slide

46. LightEater on HP
For a change of pace, let’s see how easy evil-maid / border-guard / interdiction attacks are!
NIC-agnostic exfiltration of data via Intel Serial-Over-LAN
Option to “encrypt” data with bitwise rot13 to stop network defenders from creating a “Papa Legba” snort signature :P

47. A word about AMT SOL
Unlike past work for low level networking[10-12], we don’t need to know anything about the NIC
We write to a fake serial port that AMT creates
AMT magically translates it to Intel’s proprietary SOL protocol (that there’s no wireshark dissector for)
LightEater
OOB Traffic
SOL

48. Infection Decision Tree
Want to infect BIOS
Asus Demo
UEFITool
FTW? No
Publicly defeated
sanity checks?
Find hook points
No/Don’t Know
Yes
Yes
No-op checks
Insert hooks
BIOS Infected

49. “BIOSkit” Infection
Sometimes UEFITool doesn’t work, and you don’t care enough to RE why
Fall back to the generic technique of “hook-and-hop”, just like a normal bootkit
Just starting earlier, and more privileged
You’re more or less guaranteed that there’s an easily targeted, uncompressed, easy-to-hook starting location in the PEI core file

50. Reminder of how normal bootkits work
START
END
Modified from

51. The UEFI skeleton (that all vendors just add their own meat to)
PEI = Pre EFI Initialization
PEIM = PEI Module
IPL = Initial Program Loader
DXE = Driver Execution Environment
SMM = System Management Mode
BDS = Boot Device Select
SMM
Driver
SMM Core
SMM Dispatcher
PEIM
DXE
Driver
DXE IPL
PEIM
SMM IPL
Dxe
Driver
PEI Core
DXE Core
BDS
PEI Dispatcher
DXE Dispatcher
To normal
bootloader

52. Minimal hook paths in UEFI
DXE IPL
PEIM
Uncompressed
On Flash
DXE Core
BDS
To normal
bootkitting

53. Minimal hook paths in UEFI
SMM
Driver
Reside in the Deep Dark
SMM Core
SMM Dispatcher
DXE IPL
PEIM
SMM IPL
Dxe
Driver
Uncompressed
On Flash
DXE Core
DXE Dispatcher

54. LightEater on ASUS Uses hook-and-hop from DXE IPL to SMM
From SMM attacks Windows 10
Gets woken up every time a process starts, prints information about the process

55. Evidence of Scalability of Infection
We wanted to show that the code an attacker wants to find can easily be identified with simple and stupid byte signatures
Only took a couple days to develop

56. Example: DXE to BDS transition
EDK open source code for DXE -> BDS transition
DxeMain.c //
// Transfer control to the BDS Architectural Protocol
gBds->Entry (gBds);
Equivalent exact assembly found in 6 separate vendors’ BIOSes
4C 8B 1D 8A AF mov r11, cs:gBDS
49 8B CB mov rcx, r11
41 FF call qword ptr [r11]
And I’m just trying to prove a point, duh :P
Yara rule = {4C 8B 1D [4] 49 8B CB 41 FF 13}
(yes, I know, I obviously should technically make it register-independent, but I don’t care because it worked well enough as you’ll see in a second :P)
(when you make your signatures, you can make them as uber1337 as you want :P)

57. Analysis targets
Created YARA signatures from what the code looked like on 9 systems
Key for next slides: “1,1,2” = “PEI_TO_DXEIPL variant 1, DXEIPL_TO_DXE variant 1, and DXE_TO_BDS variant 2 matched for this system”
“PEI_TO_DXEIPL.rule”
4 variants
“DXEIPL_TO_DXE.rule”
3 variants
DXE IPL
PEIM
“DXE_TO_BDS.rule”
3 variants
PEI Core
DXE Core
BDS

58. Some Analysis Results
Teddy Reed graciously provided the data set from his 2014 Infiltrate talk1
2158 BIOS images spidered from Lenovo, HP, Dell, Gigabyte, & Asrock’s websites
Haven’t counted how many individual models yet
Signature scanning results:
PEI_TO_DXEIPL: 3 misses (1 model)
DXEIPL_TO_DXE: 0 misses
DXE_TO_BDS: 4 misses (2 models)
1“Analytics, and Scalability, and UEFI Exploitation (Oh My)” – Teddy Reed

59. For reading at your leisure (from Teddy Reed’s data set) (2158 images, 7 misses)
Lenovo (442 images) - PEI_TO_DXEIPL: 0 misses - DXEIPL_TO_DXE: 0 misses - DXE_TO_BDS: 2 misses HP (388 images) - DXE_TO_BDS: 0 misses Dell (381 images) - PEI_TO_DXEIPL: 3 misses
Gigabyte (347 images) - PEI_TO_DXEIPL: 0 misses - DXEIPL_TO_DXE: 0 misses - DXE_TO_BDS: 0 misses Asrock (596 images)

60. For reading at your leisure (from a completely different LegbaCore data set) (1003 images, 5 misses)
Lenovo (213 images) - PEI_TO_DXEIPL: 0 misses - DXEIPL_TO_DXE: 0 misses - DXE_TO_BDS: 0 misses HP (401 images) Dell (348 images)
LG (13 images)
- PEI_TO_DXEIPL: 0 misses
- DXEIPL_TO_DXE: 0 misses
- DXE_TO_BDS: 1 misses
Asus (13 images)
- PEI_TO_DXEIPL: 2 misses
- DXE_TO_BDS: 2 misses
Acer (15 images)
- DXE_TO_BDS: 0 misses

61. HP Example
1,1,2
1,1,2
3,1,3
1,1,2

62. Extrapolation to millions
From

63. Extrapolation to millions
So if almost no one applies BIOS vulnerability patches…
And if my tiny set of signatures can reliably find hook points and disable sanity checks in the machines HP is currently selling…
And if HP shipped ~15M PCs in Q4 2014…
Then we would understand that millions of these BIOSes could be reliably infected, yes?

64. Acer 2,2,1 2,2,1 2,2,1 Aspire S7-392 TravelMate B113 TravelMate P245
Veriton Z26600G
2,2,1
TravelMate P255
TravelMate P455
TravelMate P645
Veriton Z4810G
2,2,1
Veriton M4630G
Veriton X2630G
Veriton M2631
Veriton N4630G
2,2,1

65. ASUSPRO ADVANCED B53S
BU201
B451JA
B400A
Asus
miss,2,1
2,2,1
ASUSPRO ESSENTIAL P53E
PU551JH
P751JA
P55VA
miss,2,1
2,2,1
ESC2000 G2
ESC4000 G2
TS500-E8-PS4
RS500-E8-RS4
2,2,1
4,2,miss

66. LG
PC Gram 13Z940
PC Gram 14Z950
PC Gram 15Z950
Ultra PC 14U530
2,1,1
4,1,3
Ultra PC 15U530
Ultra PC 15U340
15N540
22V240
2,1,1
4,1,1
Tab Book 10T550
Tab Book 11T740
A75CV
A75PS
4,1,miss
2,1,1
2,2,1
It was about this time I got really tired of making these slides and manually downloading BIOSes ;)

67. A little good news before we go
Were working with vendors like Dell to do security assessments to find and fix issues before they ship on new systems. Lenovo and others are also on the list.

68. A little good news before we go
We’re also working with Intel to try to create the first commercial-grade SMM isolation
Intel has the ability for their hardware virtualization to jail SMM
We will then work with BIOS vendors to incorporate the technology into shipping systems
End result will be that even if attackers break into SMM, they can’t read/write arbitrary memory
And we could detect attackers through measurements.

69. Conclusions

70. This talk has 2 main points
Because almost no one applies BIOS patches, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected
The high amount of code reuse across UEFI BIOSes means that BIOS infection is automatable and reliable

71. What we showed
All systems we have looked at contain Incursion vulnerabilities that allow breaking in to SMM
Incursion vulnerabilities can be found programatically
The LightEater SMM attacker can perform any attack that is available to lesser attackers
We showed stealing GPG keys/messages from memory (on MSI), data exfiltration over the network (on HP), Windows kernel rootkit behavior (on Asus)
Showed how a physical BIOS attack can be done in 2 minutes by an unskilled accomplice (maid/border guard)
Homogeneity in UEFI BIOSes for the things an attacker cares about. Creating signatures from ~10 BIOSes is sufficient to find matches on thousands of images (which relate to millions of shipped machines)

72. Conclusions
2 guys + 4 weeks + $2k = Multiple vendors’ BIOSes infected, with multiple infection capabilities
One hand (purposely) tied behind our backs: Didn’t use special debug hardware. Serial prints only!
Do you really think that Five Eyes are the only ones who have developed capabilities in this space?
“Absence of evidence is not evidence of absence”
It’s time to start checking your firmware
Stop giving firmware attackers a free pass and indefinite invisibility
It’s time to start patching your BIOSes
Demand the capability from your patch management software
It’s time to demand better BIOS security from your OEM
We’ll eventually make a name-and-shame list of vendors who are perennially leaving their customers open to BIOS attacks

73. Pour a 40 on the curb for the PCs we’ve lost…
Toshiba Tecra…
Short circuited during disassembly
Rest in pieces buddy
Short circuited. Rest in pieces buddy.

74. Contact Twitter: @coreykal, @xenokovah, @legbacore
{corey,
for our GPG keys
As always, go check out OpenSecurityTraining.info for the free classes from Corey and Xeno on x86 assembly & architecture, binary executable formats, stealth malware, and exploits.
Then go forth and do cool research for us to read about!

75. Throwaway Demo
People sometime ask us “Can the ‘Dual BIOS’ recovery mechanism on my motherboard prevent bricking and/or remove malware?”
Our answer usually was “We don’t know, because no corporate machines have that feature, so they wouldn’t be protected”

76. Verdict

77. References
[0] Attacking Intel BIOS – Rafal Wojtczuk and Alexander Tereshkin, July 2009http://invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf (CERT never posted?!) [1] Defeating Signed BIOS Enforcement – Kallenberg et al., Sept (CERT hasn’t posted yet despite request) [2] All Your Boot Are Belong To Us (MITRE portion) – Kallenberg et al. – Mar. 2014, delayed from publicly disclosing potential for bricking until HITB at Intel’s request [3] All Your Boot Are Belong To Us (Intel portion) – Bulygin et al. – Mar [4] Setup for Failure: Defeating UEFI Secure Boot - Kallenberg et al., Apr (CERT hasn’t posted yet despite request)

78. References
[5] Extreme Privilege Escalation on UEFI Windows 8 Systems – Kallenberg et al., Aug [6] Attacks against UEFI Inspired by Darth Venamis and Speed Racer – Wojtczuk & Kallenberg, Dec [7] Speed Racer: Exploiting an Intel Flash Protection Race Condition – Kallenberg & Wojtczuk, Dec [8] Attacking UEFI Boot Script – Wojtczuk & Kallenberg, Dec [9] “Snorlax” bug – Cornwell, et al., Dec (CERT hasn’t posted yet despite request)

79. References
[10] Deeper Door – Embleton & Sparks, Jul – [11] Can you still trust your network card? - Duflot, et al., Mar [12] The Jedi Packet Trick takes over the Deathstar - Arrigo Triulzi, Mar [13] “Mebromi: the first BIOS rootkit in the wild” [14] “NSA Speaks Out on Snowden Spying”, Dec 2012http:// [15] "To Protect And Infect” - Jacob Applebaum, Dec (contains leaked classified NSA documents) [16] “U.S. Gas, Oil Companies Targeted in Espionage Campaigns”, Jan. 2013http://threatpost.com/u-s-gas-oil-companies-targeted-in-espionage-campaigns/103777

80. References
[X] See all the related work we’re aware of here:

81. Backup
“Should you worry when the skullhead is in front of you? Or is it worse because it’s always waiting, where your eyes don’t go?”
They Might Be Giants
“the skullhead” is a metaphor for your own mortality ;)